A potential attacker could gain access to the entire home network

Aug 13, 2014 08:01 GMT

Security researchers evaluated the smart Nest Thermostat, now owned by Google, and observed that despite the tough security measures built into the device, it can be compromised in 15 seconds through its USB connection.

By leveraging control over the smart device, a potential attacker can gain access to sensitive information and, ultimately, to all the devices connected to the home network.

The Nest hardware is designed to control the air-conditioning unit based on heuristics and learned behavior, but it can also connect to the home network and interface with the Nest Cloud service, which gives the user remote control over the unit.

Given that they collect usage statistics in order to learn what the user needs, these devices are not short on security. Their firmware is signed using the PKCS#7 cryptographic standard and firmware verification relies on pinned certificates; moreover, communication of sensitive information is encrypted.

However, a team of security researchers found a way in, although it requires physical access to the device, for the moment.

Undergraduate Grant Hernandez, Orlando Arias and Ph.D. student Yier Jin of the University of Central Florida, along with independent researcher Daniel Buentello, presented their findings this year at the Black Hat security conference in Las Vegas.

Because of the security checks in place at the operating-system level, they chose to carry out an attack targeting the hardware of the device, and they found the USB connection to be an effective backdoor.

The researchers say that a global reset (pressing the button for ten seconds) triggers the device's peripheral boot mode, and because a pin is exposed on an unpopulated header on the main circuit board, it is possible to run the boot procedure from USB storage.

Since the ROM performs no cryptographic verification of the code it loads, an attacker has a free hand to run malicious code at this stage.

Some limitations exist, though. “There is a strict timing window in which the ROM will be listening for any incoming program data, the initial payload must be x-loader, which is copied to SRAM and must initialize all remaining subsystems. Subsequent payloads must be able to fit and execute in SDRAM,” researchers write in their whitepaper.

Another problem faced by the experts was that the firmware updater ran with the highest privileges and could delete the backdoor planted on the device.

The solution found was to use a custom kernel that protected the malware from being modified in any way.

A compromised Nest Thermostat allows an attacker to introduce rogue services into the network. The team of security experts describes the following malicious scenarios that can be carried out:

“If a network uses DHCP internally, the Nest Thermostat can be made to act as a DHCP server. When a client node tries to resolve an IP address and DNS server using this protocol, a response can be given to have the client node use our own DNS server, thus having control of what addresses get resolved and to what IP. The Nest could also spoof ARP packets to masquerade as the router, allowing the capture of a targeted computer’s network traffic.”
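A defender-side check for the rogue-DHCP scenario quoted above, added here as an example and not code from the researchers or from Nest: it parses DHCPOFFER packets and flags any offer whose server identifier (option 54) or DNS server (option 6) is not on an allowlist of the network's legitimate servers. The trusted addresses and the sample packets built by `build_offer` are constructed assumptions, not captured traffic.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the DHCP options field
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
DHCPOFFER = 2

def build_offer(server_ip, dns_ip, yiaddr="192.168.1.50"):
    """Build a minimal DHCPOFFER for testing (constructed sample, not a real capture)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        2, 1, 6, 0, 0x1234, 0, 0,                # BOOTREPLY, Ethernet, xid
                        b"\0" * 4, IPv4Address(yiaddr).packed,   # ciaddr, yiaddr
                        IPv4Address(server_ip).packed, b"\0" * 4,  # siaddr, giaddr
                        b"\xaa\xbb\xcc\xdd\xee\xff" + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER]) +
               bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed +
               bytes([OPT_DNS, 4]) + IPv4Address(dns_ip).packed +
               bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + options

def parse_options(pkt):
    """Return {option_code: value_bytes} from a DHCP packet's options field."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def check_offer(pkt, trusted_servers, trusted_dns):
    """Return findings for a DHCPOFFER; an empty list means the offer looks legitimate."""
    opts = parse_options(pkt)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return []                                  # only offers are judged here
    findings = []
    server = str(IPv4Address(opts[OPT_SERVER_ID])) if OPT_SERVER_ID in opts else None
    if server not in trusted_servers:
        findings.append(f"rogue DHCP server {server}")
    dns = opts.get(OPT_DNS, b"")
    for off in range(0, len(dns), 4):              # option 6 may list several servers
        addr = str(IPv4Address(dns[off:off + 4]))
        if addr not in trusted_dns:
            findings.append(f"unexpected DNS server {addr} offered by {server}")
    return findings
```

In practice the packets would come from a sniffer on the LAN listening on UDP port 68; an alert on any non-empty finding is the detection.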

The risks stemming from this flaw are quite serious, since it gives a threat actor information about the target's schedule (through the thermostat's away detection) as well as the possibility of remote data exfiltration.